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1. Introduction 

This standard specifies the Rijndael algorithm ([3] and [4]), a symmetric block cipher that can 
process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. 
Rijndael was designed to handle additional block sizes and key lengths, however they are not 
adopted in this standard. 

Throughout the remainder of this standard, the algorithm specified herein will be referred to as 
“the AES algorithm.” The algorithm may be used with the three different key lengths indicated 
above, and therefore these different “flavors” may be referred to as “AES-128”, “AES-192”, and 
“AES-256”. 

This specification includes the following sections: 

2. Definitions of terms, acronyms, and algorithm parameters, symbols, and functions; 

3. Notation and conventions used in the algorithm specification, including the ordering and 
numbering of bits, bytes, and words; 

4. Mathematical properties that are useful in understanding the algorithm; 

5. Algorithm specification, covering the key expansion, encryption, and decryption routines; 

6. Implementation issues, such as key length support, keying restrictions, and additional 
block/key/round sizes. 

The standard concludes with several appendices that include step-by-step examples for Key 
Expansion and the Cipher, example vectors for the Cipher and Inverse Cipher, and a list of 
references. 


2. Definitions 


2.1 Glossary of Terms and Acronyms 

The following definitions are used throughout this standard: 

AES 

Advanced Encryption Standard 

Affine 

Transformation 

A transformation consisting of multiplication by a matrix followed by 
the addition of a vector. 

Array 

An enumerated collection of identical entities (e.g., an array of bytes). 

Bit 

A binary digit having a value of 0 or 1. 

Block 

Sequence of binary bits that comprise the input, output, State, and 
Round Key. The length of a sequence is the number of bits it contains. 
Blocks are also interpreted as arrays of bytes. 

Byte 

A group of eight bits that is treated either as a single entity or as an 
array of 8 individual bits. 
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Cipher 


Series of transformations that converts plaintext to ciphertext using the 
Cipher Key. 

Cipher Key Secret, cryptographic key that is used by the Key Expansion routine to 
generate a set of Round Keys; can be pictured as a rectangular array of 
bytes, having four rows and Nk columns. 

Ciphertext Data output from the Cipher or input to the Inverse Cipher. 

Inverse Cipher Series of transformations that converts ciphertext to plaintext using the 
Cipher Key. 

Key Expansion Routine used to generate a series of Round Keys from the Cipher Key. 

Plaintext Data input to the Cipher or output from the Inverse Cipher. 

Rijndael Cryptographic algorithm specified in this Advanced Encryption 

Standard (AES). 

Round Key Round keys are values derived from the Cipher Key using the Key 

Expansion routine; they are applied to the State in the Cipher and 
Inverse Cipher. 

State Intermediate Cipher result that can be pictured as a rectangular array 

of bytes, having four rows and Nb columns. 

S-box Non-linear substitution table used in several byte substitution 

transformations and in the Key Expansion routine to perform a one- 
for-one substitution of a byte value. 

Word A group of 32 bits that is treated either as a single entity or as an array 

of 4 bytes. 

2.2 Algorithm Parameters, Symbols, and Functions 

The following algorithm parameters, symbols, and functions are used throughout this standard: 

AddRoundKey () Transformation in the Cipher and Inverse Cipher in which a Round 

Key is added to the State using an XOR operation. The length of a 
Round Key equals the size of the State (i.e., for Nb = 4, the Round 
Key length equals 128 bits/16 bytes). 

InvMixColumns () Transformation in the Inverse Cipher that is the inverse of 

MixColumns (). 

InvShiftRows () Transformation in the Inverse Cipher that is the inverse of 

Shi ft Rows (). 

InvSubBytes () Transformation in the Inverse Cipher that is the inverse of 

SubBytes (). 

K Cipher Key. 
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MixColumns () 


Nb 

Nk 

Nr 

Rcon[] 
RotWord() 

ShiftRows () 

SubBytes () 

SubWord() 

XOR 

© 


Transformation in the Cipher that takes all of the columns of the 
State and mixes their data (independently of one another) to 
produce new columns. 

Number of columns (32-bit words) comprising the State. For this 
standard, Nb = 4. (Also see Sec. 6.3.) 

Number of 32-bit words comprising the Cipher Key. For this 
standard, Nk = 4, 6, or 8. (Also see Sec. 6.3.) 

Number of rounds, which is a function of Nk and Nb (which is 
fixed). For this standard, Nr = 10, 12, or 14. (Also see Sec. 6.3.) 

The round constant word array. 

Function used in the Key Expansion routine that takes a four-byte 
word and performs a cyclic permutation. 

Transformation in the Cipher that processes the State by cyclically 
shifting the last three rows of the State by different offsets. 

Transformation in the Cipher that processes the State using a non¬ 
linear byte substitution table (S-box) that operates on each of the 
State bytes independently. 

Function used in the Key Expansion routine that takes a four-byte 
input word and applies an S-box to each of the four bytes to 
produce an output word. 

Exclusive-OR operation. 

Exclusive-OR operation. 

Multiplication of two polynomials (each with degree < 4) modulo 
x 4 + 1. 

Finite field multiplication. 


3. Notation and Conventions 

3.1 Inputs and Outputs 

The input and output for the AES algorithm each consist of sequences of 128 bits (digits with 
values of 0 or 1). These sequences will sometimes be referred to as blocks and the number of 
bits they contain will be referred to as their length. The Cipher Key for the AES algorithm is a 
sequence of 128,192 or 256 bits. Other input, output and Cipher Key lengths are not permitted 
by this standard. 

The bits within such sequences will be numbered starting at zero and ending at one less than the 
sequence length (block length or key length). The number i attached to a bit is known as its index 
and will be in one of the ranges 0 < / < 128, 0 < i < 192 or 0 < i < 256 depending on the block 
length and key length (specified above). 
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3.2 Bytes 

The basic unit for processing in the AES algorithm is a byte, a sequence of eight bits treated as a 
single entity. The input, output and Cipher Key bit sequences described in Sec. 3.1 are processed 
as arrays of bytes that are formed by dividing these sequences into groups of eight contiguous 
bits to form arrays of bytes (see Sec. 3.3). For an input, output or Cipher Key denoted by a, the 
bytes in the resulting array will be referenced using one of the two forms, a n or a[n\, where n will 
be in one of the following ranges: 

Key length = 128 bits, 0 < n < 16; Block length = 128 bits, 0 < n < 16; 

Key length =192 bits, 0 < n < 24; 

Key length = 256 bits, 0 < n < 32. 

All byte values in the AES algorithm will be presented as the concatenation of its individual bit 
values (0 or 1) between braces in the order {b-j, b$, b$, 64 , b% 62 , b\, bo}. These bytes are 
interpreted as finite field elements using a polynomial representation: 

7 

b 7 x 7 +b 6 x 6 +b 5 x 5 +b 4 x 4 +b 3 x 3 +b 2 x 2 +b l x + b 0 = y b t x l . (3.1) 

1=0 

For example, { 01100011 } identifies the specific finite field element x 6 + x 5 + x +1 . 

It is also convenient to denote byte values using hexadecimal notation with each of two groups of 
four bits being denoted by a single character as in Fig. 1. 


Bit Pattern 

Character 

0100 

4 

0101 

5 

0110 

6 

0111 

7 


Bit Pattern 

Character 

1000 

8 

1001 

9 

1010 

a 

1011 

b 


Bit Pattern 

Character 

1100 

C 

1101 

d 

1110 

e 

1111 

f 


Bit Pattern 

Character 

0000 

0 

0001 

1 

0010 

2 

0011 

3 


Figure 1. Hexadecimal representation of bit patterns. 

Hence the element { 01100011 } can be represented as { 63 }, where the character denoting the 
four-bit group containing the higher numbered bits is again to the left. 

Some finite field operations involve one additional bit (b$) to the left of an 8-bit byte. Where this 
extra bit is present, it will appear as ‘{01 }’ immediately preceding the 8-bit byte; for example, a 
9-bit sequence will be presented as {01}{lb}. 


3.3 Arrays of Bytes 

Arrays of bytes will be represented in the following form: 


q C/L ^ ^ 2 * * | ^ 


The bytes and the bit ordering within bytes are derived from the 128-bit input sequence 


as follows: 


inputo inputi input 2 ... inputs inputni 
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ao = { inputo, inputi, ..., inputj }; 
a\ = {inputs, input 9 , /npn/ 15 }; 


«i5 = {inputno, input 121, input 127}. 

The pattern can be extended to longer sequences (i.e., for 192- and 256-bit keys), so that, in 
general, 

a„ = { inputs,,, inpuhn+i, ■■■, inpuh„ + i }. (3.2) 


Taking Sections 3.2 and 3.3 together, Fig. 2 shows how bits within each byte are numbered. 


Input bit sequence 

0 

1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


Byte number 

0 

1 

2 


Bit numbers in byte 

7 

6 

5 

4 

3 

2 

1 

0 

7 

6 

5 

4 

3 

2 

1 

□ 

7 

6 

5 

4 

3 

2 

1 

H 



Figure 2. Indices for Bytes and Bits. 


3.4 The State 


Internally, the AES algorithm’s operations are performed on a two-dimensional array of bytes 
called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is 
the block length divided by 32. In the State array denoted by the symbol s, each individual byte 
has two indices, with its row number r in the range 0 < r < 4 and its column number c in the 
range 0 < c < Nb. This allows an individual byte of the State to be referred to as either s rx or 
5 [r,c], For this standard, Nb=4, i.e., 0 < c < 4 (also see Sec. 6.3). 


At the start of the Cipher and Inverse Cipher described in Sec. 5, the input - the array of bytes 
/no, in 1 , ... in 15 - is copied into the State array as illustrated in Fig. 3. The Cipher or Inverse 
Cipher operations are then conducted on this State array, after which its final value is copied to 
the output - the array of bytes outo, out \,... on/15. 


input bytes 


in 0 

in 4 

ins 

inn 

in\ 

in 5 

in 9 

inn 

in 2 

in 6 

in l0 

in u 

m3 

in 2 

in n 

in n 


State array 


So,o 

^ 0,1 

So,2 

So,3 

S\,o 

Si,i 

S 1,2 

Sl,3 

£ 2,0 

$2,1 

^ 2,2 

S2,3 

£ 3,0 

£ 3,1 

S 3,2 

S 3 ,3 




output bytes 


OUto 

out 4 

outs 

out\ 2 

OUti 

out 5 

OUtg 

outn 

out 2 

out 6 

OUt\o 

OUt\ 4 

out 3 

OUtj 

out n 

outn 


Figure 3. State array input and output. 


Hence, at the beginning of the Cipher or Inverse Cipher, the input array, in, is copied to the State 
array according to the scheme: 

s[r, c] = in[r + 4c] for 0 < r < 4 and 0 < c < Nb, (3.3) 
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and at the end of the Cipher and Inverse Cipher, the State is copied to the output array out as 
follows: 

out[r + 4c] = ^[r, c ] for 0 < r < 4 and 0 < c < Nb. (3.4) 

3.5 The State as an Array of Columns 

The four bytes in each column of the State array form 32-bit words, where the row number r 
provides an index for the four bytes within each word. The state can hence be interpreted as a 
one-dimensional array of 32 bit words (columns), W0...W3, where the column number c provides 
an index into this array. Hence, for the example in Fig. 3, the State can be considered as an array 
of four words, as follows: 

WO = So,0 Sl,0 ^2,0 *^3,0 W2 = So,2 Si,2 S2,2 S3,2 

"'| = S'o.i S1.1 S'2,1 S3.1 W3 = So ,3 Si,3 S 2,3 S3,3 . ( 3 . 5 ) 


4. Mathematical Preliminaries 

All bytes in the AES algorithm are interpreted as finite field elements using the notation 
introduced in Sec. 3.2. Finite field elements can be added and multiplied, but these operations 
are different from those used for numbers. The following subsections introduce the basic 
mathematical concepts needed for Sec. 5. 

4.1 Addition 

The addition of two elements in a finite field is achieved by “adding” the coefficients for the 
corresponding powers in the polynomials for the two elements. The addition is performed with 
the XOR operation (denoted by ©) - i.e., modulo 2 - so that 101 = 0, 100 = 1, and 000 = 0. 
Consequently, subtraction of polynomials is identical to addition of polynomials. 

Alternatively, addition of finite field elements can be described as the modulo 2 addition of 
corresponding bits in the byte. For two bytes {a 7 a 6 a 5 a 4 a 3 a 2 aia 0 } and {b 7 b 6 b 5 b 4 b 3 b 2 b l b 0 }, the sum is 
{c 7 c 6 C 5 C 4 C 3 C 2 C 1 Co}, where each c,- = a, © bi (i.e., c 7 = a 7 ® b 7 , c 6 = a 6 ® b 6 , ...c 0 = a 0 ® b 0 ). 

For example, the following expressions are equivalent to one another: 

(x 6 + x 4 + x 2 + x + l) + (x 7 + x + 1 ) = x 7 + x 6 + x 4 + x 2 (polynomial notation); 

{01010111} © {10000011} = {11010100} (binary notation); 

{57} © {83} = {d4} (hexadecimal notation). 

4.2 Multiplication 

In the polynomial representation, multiplication in GF(2 8 ) (denoted by •) corresponds with the 
multiplication of polynomials modulo an irreducible polynomial of degree 8 . A polynomial is 
irreducible if its only divisors are one and itself. For the AES algorithm, this irreducible 
polynomial is 

m(x) = x 8 +x 4 +x 3 +X-I- 1 , ( 4 . 1 ) 
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or {01} {lb} in hexadecimal notation. 

For example, {57} • {83} = {cl}, because 

(x * 3 + x 4 + x 2 + X + 1) (X 7 + X +1) = x 13 +X * 1 + x 9 + x 8 +x 7 + 

x 7 + x 5 + x 3 + x 2 + X + 
x 6 + x 4 + x 2 +X + 1 

= X 13 +X 11 +x 9 +x 8 +x 6 +x 5 +x 4 +x 3 +1 

and 


x 13 + X 11 + x 9 + x 8 + x 9 + x 5 +x 4 + x 3 +1 modulo (x 8 +x 4 +x 3 +x + l) 

= x 7 + x 6 + 1 . 

The modular reduction by m(x) ensures that the result will be a binary polynomial of degree less 
than 8 , and thus can be represented by a byte. Unlike addition, there is no simple operation at the 
byte level that corresponds to this multiplication. 

The multiplication defined above is associative, and the element { 01 } is the multiplicative 
identity. For any non-zero binary polynomial b{x) of degree less than 8 , the multiplicative 
inverse of b(x), denoted //'(x), can be found as follows: the extended Euclidean algorithm [7] is 
used to compute polynomials a(x) and c(x) such that 

b(x)a(x) + m(x)c(x) - 1. (4.2) 

Hence, a(x) • b{x) mod m(x) = 1, which means 

b~ l (x) = a(x)modm(x). (4.3) 

Moreover, for any a(x), b(x) and c(x) in the field, it holds that 

a(x) • ( b(x ) + c(x)) = a(x) • b{x) + a{x) • c(x) . 

It follows that the set of 256 possible byte values, with XOR used as addition and the 
multiplication defined as above, has the structure of the finite field GF(2 8 ). 


4.2.1 Multiplication by x 

Multiplying the binary polynomial defined in equation (3.1) with the polynomial x results in 

b 1 x i +b 6 x 1 +b 5 x 6 +b 4 x 5 +b 3 x 4 +b 2 x 3 +b { x 2 +b 0 x. (4.4) 

The result x • b(x) is obtained by reducing the above result modulo m(x), as defined in equation 
(4.1). If by = 0, the result is already in reduced form. If by = 1, the reduction is accomplished by 
subtracting (i.e., XORing) the polynomial mix). It follows that multiplication by x (i.e., 
{00000010} or {02}) can be implemented at the byte level as a left shift and a subsequent 
conditional bitwise XOR with {lb}. This operation on bytes is denoted by xtime(). 
Multiplication by higher powers of x can be implemented by repeated application of xt ime (). 
By adding intermediate results, multiplication by any constant can be implemented. 

For example, {57} • {13} = {fe} because 
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thus, 


{57} *{02} = xtime({57}) = {ae} 

{57} *{04} = xtime({ae}) = {47} 

{57} • {08} = xtime({47}) = {8e} 

{57} • {10} = xtime({8e}) = {07}, 

{57} • {13} = {57} *({01} © {02} © {10}) 
= {57}©{ae}©{07} 

= {fe}. 


4.3 Polynomials with Coefficients in GF(2 8 ) 

Four-term polynomials can be defined - with coefficients that are finite field elements - as: 

a(x) - a 3 x 3 +a 2 x 2 +a l x + a 0 (4.5) 

which will be denoted as a word in the form [ao, a\, ch , <33 ] . Note that the polynomials in this 
section behave somewhat differently than the polynomials used in the definition of finite field 
elements, even though both types of polynomials use the same indeterminate, x. The coefficients 
in this section are themselves finite field elements, i.e., bytes, instead of bits; also, the 
multiplication of four-term polynomials uses a different reduction polynomial, defined below. 
The distinction should always be clear from the context. 

To illustrate the addition and multiplication operations, let 

b(x) — b 3 x 3 + b 2 x 2 + b x x + b 0 (4.6) 

define a second four-term polynomial. Addition is performed by adding the finite field 
coefficients of like powers of x. This addition corresponds to an XOR operation between the 
corresponding bytes in each of the words - in other words, the XOR of the complete word 
values. 

Thus, using the equations of (4.5) and (4.6), 

a(x) + b(x) = ( a 3 ®b 3 )x 3 +(a 2 ®b 2 )x 2 + («i ®b l )x + (a 0 ®b 0 ) (4.7) 

Multiplication is achieved in two steps. In the first step, the polynomial product c(x) = a(x) • 

b(x) is algebraically expanded, and like powers are collected to give 

c(x) = c 6 x 6 + c 5 x 5 + c 4 x 4 + c 3 x 3 + c 2 x 2 + qx + c 0 (4.8) 

where 

c 0 -a 0 • b 0 c 4 - a 3 • b x © a 2 • b 2 © a { • b 3 

q = a x • b 0 © a 0 • b x c 5 =a 3 *b 2 ® a 2 • b 3 

c 2 = a 2 • b 0 ® ciy • by ® a 0 • b 2 c 6 -a 3 • b 3 (4.9) 
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c 3 = a 3 • b 0 © a 2 • b x © a l • b 2 © a 0 • b 3 . 

The result, c(x), does not represent a four-byte word. Therefore, the second step of the 
multiplication is to reduce c(x) modulo a polynomial of degree 4; the result can be reduced to a 
polynomial of degree less than 4. For the AES algorithm, this is accomplished with the 
polynomial x 4 + 1, so that 

x‘ mod(x 4 +1) = x ,mod4 . (4.10) 

The modular product of a(x ) and b(x), denoted by a(x) ® b(x), is given by the four-term 
polynomial d(x), defined as follows: 

d{x) = d 3 x 3 +d 2 x 2 +d { x +d 0 (4.11) 

with 

d 0 = (a 0 • b 0 ) © (a 3 • b x ) © (a 2 • b 2 ) © (a l •b 3 ) 
d x =(a l •b 0 )® ( a 0 • b x ) © (a 3 • b 2 ) © ( a 2 »b 3 ) (4.12) 

d 2 - (a 2 • b 0 ) © • b x ) ® (a 0 • b 2 ) ® ( a 3 *b 3 ) 

d 3 =(a 3 • b 0 )©( a 2 •b l )®(a l *b 2 )® (a 0 *b 3 ) 

When a(x) is a fixed polynomial, the operation defined in equation (4.11) can be written in 
matrix form as: 



(4.13) 


Because x 4 +1 is not an irreducible polynomial over GF(2 8 ), multiplication by a fixed four-term 
polynomial is not necessarily invertible. However, the AES algorithm specifies a fixed four-term 
polynomial that does have an inverse (see Sec. 5.1.3 and Sec. 5.3.3): 

a(x) = { 0 3 }x +{01 }x +{01 }x +{02} (4.14) 

a \x) = {0b}x 3 + {0d}x 2 + {0 9}x+ {0e}. (4.15) 


Another polynomial used in the AES algorithm (see the RotWord () function in Sec. 5.2) has ciq 
= a\ = <32 = {00} and = {01}, which is the polynomial x 3 . Inspection of equation (4.13) above 
will show that its effect is to form the output word by rotating bytes in the input word. This 
means that [bo, b\, bo, bo] is transformed into [b\, b2, bo,, bo]. 


5. Algorithm Specification 

For the AES algorithm, the length of the input block, the output block and the State is 128 
bits. This is represented by Nb = 4, which reflects the number of 32-bit words (number of 
columns) in the State. 
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For the AES algorithm, the length of the Cipher Key, K, is 128, 192, or 256 bits. The key 
length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words (number of 
columns) in the Cipher Key. 

For the AES algorithm, the number of rounds to be performed during the execution of the 
algorithm is dependent on the key size. The number of rounds is represented by Nr, where Nr = 
10 when Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8. 

The only Key-Block-Round combinations that conform to this standard are given in Fig. 4. 

For implementation issues relating to the key length, block size and number of rounds, see Sec. 
6.3. 



Key Length 

(Nk words) 

Block Size 

(Nb words) 

Number of 
Rounds 

(Nr) 

AES-128 

4 

4 

10 

AES-192 

6 

4 

12 

AES-256 

8 

4 

14 


Figure 4. Key-Block-Round Combinations. 


For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that is 
composed of four different byte-oriented transformations: 1) byte substitution using a 
substitution table (S-box), 2) shifting rows of the State array by different offsets, 3) mixing the 
data within each column of the State array, and 4) adding a Round Key to the State. These 
transformations (and their inverses) are described in Sec. 5.1.1-5.1.4 and 5.3.1-5.3.4. 

The Cipher and Inverse Cipher are described in Sec. 5.1 and Sec. 5.3, respectively, while the Key 
Schedule is described in Sec. 5.2. 

5.1 Cipher 

At the start of the Cipher, the input is copied to the State array using the conventions described in 
Sec. 3.4. After an initial Round Key addition, the State array is transformed by implementing a 
round function 10, 12, or 14 times (depending on the key length), with the final round differing 
slightly from the first Nr -1 rounds. The final State is then copied to the output as described in 
Sec. 3.4. 

The round function is parameterized using a key schedule that consists of a one-dimensional 
array of four-byte words derived using the Key Expansion routine described in Sec. 5.2. 

The Cipher is described in the pseudo code in Fig. 5. The individual transformations - 
SubBytes (), ShiftRows (), MixColumns (), and AddRoundKey () - process the State 
and are described in the following subsections. In Fig. 5, the array w[] contains the key 
schedule, which is described in Sec. 5.2. 

As shown in Fig. 5, all Nr rounds are identical with the exception of the final round, which does 
not include the MixColumns () transformation. 
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Appendix B presents an example of the Cipher, showing values for the State array at the 
beginning of each round and after the application of each of the four transformations described in 
the following sections. 


Cipher(byte in[ 4 *Nb], byte out[ 4 *Nb], word w[Nb*(Nr+ 1 )]) 
begin 

byte state[ 4 ,Nb] 
state = in 


AddRoundKey(state, w[ 0 , Nb- 1 ]) 

// 

See 

Sec. 

5 . 1.4 

for round = 1 step 1 to Nr -1 

SubBytes(state) 

// 

See 

Sec. 

5 . 1.1 

ShiftRows(state) 

// 

See 

Sec. 

5 . 1.2 

MixColumns(state) 

// 

See 

Sec. 

5 . 1.3 


AddRoundKey(state, w[round*Nb, (round+ 1 )*Nb-l]) 

end for 

SubBytes(state) 

ShiftRows(state) 

AddRoundKey(state, w[Nr*Nb, (Nr+ 1 )*Nb-l]) 
out = state 

end 


Figure 5. Pseudo Code for the Cipher. 1 


5.1.1 SubBytes () Transformation 

The SubBytes () transformation is a non-linear byte substitution that operates independently 
on each byte of the State using a substitution table (S-box). This S-box (Fig. 7), which is 
invertible, is constructed by composing two transformations: 

1. Take the multiplicative inverse in the finite field GF(2 8 ), described in Sec. 4.2; the 
element {00} is mapped to itself. 

2. Apply the following affine transformation (over GF(2)): 

b t — b t © ^(,+4) mod 8 ® ^(/+5)mod8 ® ^(z+6) mod 8 © ^((+7)mod8 © C i (5-1) 

for 0 < i < 8, where b, is the i th bit of the byte, and c, is the i ih bit of a byte c with the 
value {63} or {01100011}. Here and elsewhere, a prime on a variable (e.g., //) 
indicates that the variable is to be updated with the value on the right. 

In matrix form, the affine transformation element of the S-box can be expressed as: 


1 The various transformations (e.g., SubBytes (), ShiftRows (), etc.) act upon the State array that is addressed 
by the ‘state’ pointer. AddRoundKey () uses an additional pointer to address the Round Key. 
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Figure 6 illustrates the effect of the SubBytes () transformation on the State. 



Figure 6. SubBytes () applies the S-box to each byte of the State. 

The S-box used in the SubBytes () transformation is presented in hexadecimal form in Fig. 7. 

For example, if .sy, ={53}, then the substitution value would be determined by the intersection 
of the row with index ‘5’ and the column with index ‘3’ in Fig. 7. This would result in ^ having 
a value of {ed}. 
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Figure 7. S-box: substitution values for the byte xy (in hexadecimal format). 
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5.1.2 Shi f tRows () Transformation 

In the Shi ft Rows () transformation, the bytes in the last three rows of the State are cyclically 
shifted over different numbers of bytes (offsets). The first row, r = 0, is not shifted. 

Specifically, the ShiftRows () transformation proceeds as follows: 

S r,c ~ S r,(c+shift(r,Nb))raoANb for 0 < T < 4 and 0 < C < Nb, (5.3) 

where the shift value shift(r,Nb ) depends on the row number, r, as follows (recall that Nb = 4): 

shiftdA) = 1 ; shift (2,d) = 2; shift{ 3,4) = 3 . (5.4) 

This has the effect of moving bytes to “lower” positions in the row (i.e., lower values of c in a 
given row), while the “lowest” bytes wrap around into the “top” of the row (i.e., higher values of 
c in a given row). 

Figure 8 illustrates the ShiftRows () transformation. 
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S 3,l 
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S ’ 
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^3,0 

^3,1 
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□*1 

fLUL 

□*1 

H_UL 

05 


Figure 8. ShiftRows () cyclically shifts the last three rows in the State. 


5.1.3 MixColumns () Transformation 

The MixColumns ( ) transformation operates on the State column-by-column, treating each 
column as a four-term polynomial as described in Sec. 4.3. The columns are considered as 
polynomials over GF(2 8 ) and multiplied modulo x 4 + 1 with a fixed polynomial a(x), given by 

a(x ) = {0 3 }x 3 + {01 }x 2 + {01 }x + {0 2 } . (5.5) 

As described in Sec. 4.3, this can be written as a matrix multiplication. Let 

s\x) = a(x) ® s(x): 
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for 0 < c < Nb. 


(5.6) 


3 0,c 


lc 


J 2,c 


J 3,c 


02 03 01 01 
01 02 03 01 
01 01 02 03 
03 01 01 02 


0,c 


l,c 


2,c 


3 3,c 


As a result of this multiplication, the four bytes in a column are replaced by the following: 

S 0,c = ({ 02 } * So >C ) 0 (I 03 ! * V) 0 5 2 ,c® *3, c 

Kc = .v 0c © ({02} • s lc ) © ({03} • S 2c )® s 3c 

5 2, c = s o,c® ({02} • s 2,c) © ({03} • O 

5 3, c = ({03} • s 0,c) ® V® ^2,c® ({ 02 } • S Xc ). 


Figure 9 illustrates the MixColumns () transformation. 



Figure 9. MixColumns () operates on the State column-by-column. 


5.1.4 AddRoundKey () Transformation 

In the AddRoundKey () transformation, a Round Key is added to the State by a simple bitwise 
XOR operation. Each Round Key consists of Nb words from the key schedule (described in Sec. 
5.2). Those Nb words are each added into the columns of the State, such that 


[S’0,c 


l,c 


2 ,c 


3 ,c 


] = K 


c ’ S l,c ’ S 2,c ’ ^3,c 


] ® [W 


round *Nb+c 


] for 0 < c < Nb, 


(5.7) 


where [vv,] are the key schedule words described in Sec. 5.2, and round is a value in the range 
0< round <Nr. In the Cipher, the initial Round Key addition occurs when round = 0, prior to 
the first application of the round function (see Fig. 5). The application of the AddRoundKey () 
transformation to the Nr rounds of the Cipher occurs when 1 < round <Nr. 

The action of this transformation is illustrated in Fig. 10, where / = round * Nb. The byte 
address within words of the key schedule was described in Sec. 3.1. 
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/ = round * Nb 


J o,o 


3 1,0 


3 2,0 


3,0 


3 0,c 


he 


3 2 ,c 


3 3,c 


,2 

^ 0,3 



ft * 

,2 

^ 2,3 

,2 

^ 3,3 




Figure 10, AddRoundKey () XORs each column of the State with a word 

from the key schedule. 


5.2 Key Expansion 

The AES algorithm takes the Cipher Key, K, and performs a Key Expansion routine to generate a 
key schedule. The Key Expansion generates a total of Nb (Nr +1) words: the algorithm requires 
an initial set of Nb words, and each of the Nr rounds requires Nb words of key data. The 
resulting key schedule consists of a linear array of 4-byte words, denoted [vv, ], with i in the range 
0 < i < Nb(Nr + 1). 

The expansion of the input key into the key schedule proceeds according to the pseudo code in 
Fig. 11. 

SubWord () is a function that takes a four-byte input word and applies the S-box (Sec. 5.1.1, 
Fig. 7) to each of the four bytes to produce an output word. The function RotWord () takes a 
word [ao,a\,a 2 ,a^\ as input, performs a cyclic permutation, and returns the word [ai,< 22 .^ 3 ,«o]- The 
round constant word array, Rcon [ i ], contains the values given by [x'~ 7 , {0 0}, {0 0}, {0 0} ], with 
xbeing powers of x (x is denoted as {02}) in the field GF(2 8 ), as discussed in Sec. 4.2 (note 
that i starts at 1, not 0). 

From Fig. 11, it can be seen that the first Nk words of the expanded key are filled with the 
Cipher Key. Every following word, w[i], is equal to the XOR of the previous word, w[i-l], and 
the word Nk positions earlier, w[i-Nk], For words in positions that are a multiple of Nk, a 
transformation is applied to w[i-l] prior to the XOR, followed by an XOR with a round 
constant, Rcon [ i ]. This transformation consists of a cyclic shift of the bytes in a word 
(RotWord ()), followed by the application of a table lookup to all four bytes of the word 
(SubWord ()). 

It is important to note that the Key Expansion routine for 256-bit Cipher Keys (Nk = 8) is 
slightly different than for 128- and 192-bit Cipher Keys. If Nk = 8 and i-4 is a multiple of Nk, 
then SubWord () is applied to w[i-l] prior to the XOR. 
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KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)], Nk) 
begin 

word temp 
i = 0 

while (i < Nk) 

w[i] = word(key[4*i], key[4*i+l], key[4*i+2], key[4*i+3]) 
i = i+1 
end while 

i = Nk 

while (i < Nb * (Nr+1)] 
temp = w[i-1] 
if (i mod Nk = 0) 

temp = SubWord(RotWord(temp)) xor Rcon[i/Nk] 
else if (Nk > 6 and i mod Nk = 4) 
temp = SubWord(temp) 
end if 

w[i] = w[i-Nk] xor temp 
i = i + 1 
end while 

end 

Note that Nk= 4, 6, and 8 do not all have to be implemented; 
they are all included in the conditional statement above for 
conciseness. Specific implementation requirements for the 
Cipher Key are presented in Sec. 6.1. 


Figure 11. Pseudo Code for Key Expansion. 2 

Appendix A presents examples of the Key Expansion. 

5.3 Inverse Cipher 

The Cipher transformations in Sec. 5.1 can be inverted and then implemented in reverse order to 
produce a straightforward Inverse Cipher for the AES algorithm. The individual transformations 
used in the Inverse Cipher - InvShiftRows (), InvSubBytes () ,InvMixColumns (), 
and AddRoundKey () - process the State and are described in the following subsections. 

The Inverse Cipher is described in the pseudo code in Fig. 12. In Fig. 12, the array w [ ] contains 
the key schedule, which was described previously in Sec. 5.2. 


2 The functions SubWord () and RotWord () return a result that is a transformation of the function input, whereas 
the transformations in the Cipher and Inverse Cipher (e.g., ShiftRows (), SubBytes (), etc.) transform the 
State array that is addressed by the ‘state’ pointer. 


20 



InvCipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)]) 
begin 

byte state[4,Nb] 

state = in 


AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-l]) // See Sec. 

5.1.4 

for round = Nr-1 step -1 downto 1 

InvShiftRows(state) // See Sec. 

InvSubBytes(state) // See Sec. 

AddRoundKey(state, w[round*Nb, (round+1)*Nb-l]) 

InvMixColumns(state) // See Sec. 

end for 

5.3.1 

5.3.2 

5.3.3 

InvShiftRows(state) 

InvSubBytes(state) 

AddRoundKey(state, w[0, Nb-1]) 


out = state 

end 



Figure 12. Pseudo Code for the Inverse Cipher. 3 


5.3.1 invShiftRows () Transformation 

InvShiftRows () is the inverse of the ShiftRows () transformation. The bytes in the last 
three rows of the State are cyclically shifted over different numbers of bytes (offsets). The first 
row, r = 0, is not shifted. The bottom three rows are cyclically shifted by Nb — shift(r,Nb) 
bytes, where the shift value shift(r,Nb) depends on the row number, and is given in equation (5.4) 
(see Sec. 5.1.2). 

Specifically, the InvShiftRows () transformation proceeds as follows: 

s rXc +S hmr,Nb)) m odNb= s r,c for 0 < t< 4 and 0 <c<Nb (5.8) 

Figure 13 illustrates the InvShiftRows () transformation. 


3 The various transformations (e.g., InvSubBytes (), InvShiftRows (), etc.) act upon the State array that is 
addressed by the ‘state’ pointer. AddRoundKey () uses an additional pointer to address the Round Key. 
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Figure 13 . InvShiftRows () cyclically shifts the last three rows in the State. 


5.3.2 invSubBytes () Transformation 

InvSubBytes () is the inverse of the byte substitution transformation, in which the inverse S- 
box is applied to each byte of the State. This is obtained by applying the inverse of the affine 
transformation (5.1) followed by taking the multiplicative inverse in GF(2 8 ). 

The inverse S-box used in the InvSubBytes () transformation is presented in Fig. 14: 
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Figure 14. Inverse S-box: substitution values for the byte xy (in 

hexadecimal format). 
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5.3.3 invMixColumns ( ) Transformation 

InvMixColumns ( ) is the inverse of the MixColumns () transformation. 
InvMixColumns ( ) operates on the State column-by-column, treating each column as a four- 
term polynomial as described in Sec. 4.3. The columns are considered as polynomials over 
GF(2 8 ) and multiplied modulo x 4 + 1 with a fixed polynomial a 1 (x), given by 

a l (x ) = {0b}x 3 + {0d}x 2 + {09}x + {Oe}. (5.9) 

As described in Sec. 4.3, this can be written as a matrix multiplication. Let 

/(x) = a~ l (x) © s(x): 


0 ,c 
1 ,c 


s 


2 ,c 


S 


3 ,c 


Oe 

0b 

0 d 

09 

Oe 

0b 

0 d 

09 

Oe 

0b 

0 d 

09 


09 
0 d 
Ob 
Oe 



^0,c 


*l fC 


S 2,c 

-1 

l 

OJ 

rs 

1_ 


for 0 < c < Nb. 


(5.10) 


As a result of this multiplication, the four bytes in a column are replaced by the following: 
s'o, c = ({Oe} • s 0c ) © ({Ob} • s u ) ® ({0d} • s 2c ) ® ({09} • s 3c ) 

s' u = ({09} • s 0c ) © ({Oe} • s u ) © ({Ob} • s 2c )® ({0d} • s 3c ) 

s 2 ,c = ({° d } • s 0iC ) © ({09} • s lc ) © ({0e} • s 2>c ) © ({0b} • s 3c ) 

s' 3c = ({0b} • 5 0c ) © ({0d} • s u ) © ({09} • ^ 2jC ) © ({0e} • s 3c ) 


5.3.4 Inverse of the AddRoundKey () Transformation 

AddRoundKey (), which was described in Sec. 5.1.4, is its own inverse, since it only involves 
an application of the XOR operation. 

5.3.5 Equivalent Inverse Cipher 

In the straightforward Inverse Cipher presented in Sec. 5.3 and Fig. 12, the sequence of the 
transformations differs from that of the Cipher, while the form of the key schedules for 
encryption and decryption remains the same. However, several properties of the AES algorithm 
allow for an Equivalent Inverse Cipher that has the same sequence of transformations as the 
Cipher (with the transformations replaced by their inverses). This is accomplished with a change 
in the key schedule. 

The two properties that allow for this Equivalent Inverse Cipher are as follows: 


1. The SubBytes() and ShiftRows() transformations commute; that is, a 
SubBytes() transformation immediately followed by a ShiftRows() 
transformation is equivalent to a Shi f tRows () transformation immediately 
followed buy a SubBytes () transformation. The same is true for their inverses, 

InvSubBytes () and InvShiftRows. 
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2. The column mixing operations - MixColumns () and InvMixColumns () - are 
linear with respect to the column input, which means 

InvMixColumns(state XOR Round Key) = 

InvMixColumns(state) XOR InvMixColumns(Round Key). 


These properties allow the order of InvSubBytes () and InvShiftRows () 
transformations to be reversed. The order of the AddRoundKey () and InvMixColumns () 
transformations can also be reversed, provided that the columns (words) of the decryption key 
schedule are modified using the InvMixColumns () transformation. 

The equivalent inverse cipher is defined by reversing the order of the InvSubBytes () and 
InvShiftRows () transformations shown in Fig. 12, and by reversing the order of the 
AddRoundKey () and InvMixColumns () transformations used in the “round loop” after 
first modifying the decryption key schedule for round = 1 to Nr-l using the 

InvMixColumns () transformation. The first and last Nb words of the decryption key 
schedule shall not be modified in this manner. 

Given these changes, the resulting Equivalent Inverse Cipher offers a more efficient structure 
than the Inverse Cipher described in Sec. 5.3 and Fig. 12. Pseudo code for the Equivalent 
Inverse Cipher appears in Fig. 15. (The word array dw[] contains the modified decryption key 
schedule. The modification to the Key Expansion routine is also provided in Fig. 15.) 
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EqlnvCipher(byte in[4*Nb], byte out[4*Nb], word dw[Nb*(Nr+1)]) 
begin 

byte state[4,Nb] 
state = in 

AddRoundKey(state, dw[Nr*Nb, (Nr+1)*Nb-l]) 

for round = Nr-1 step -1 downto 1 
InvSubBytes(state) 

InvShiftRows(state) 

InvMixColumns(state) 

AddRoundKey(state, dw[round*Nb, (round+1)*Nb-l]) 
end for 

InvSubBytes(state) 

InvShiftRows(state) 

AddRoundKey(state, dw[0, Nb-1]) 

out = state 

end 


For the Equivalent Inverse Cipher, the following pseudo code is added at 
the end of the Key Expansion routine (Sec. 5.2): 

for i = 0 step 1 to (Nr+l)*Nb-l 
dw [ i ] = w [ i ] 
end for 

for round = 1 step 1 to Nr-1 

InvMixColumns(dw[round*Nb, (round+1)*Nb-l]) // note change of 

type 

end for 

Note that, since InvMixColumns operates on a two-dimensional array of bytes 
while the Round Keys are held in an array of words, the call to 
InvMixColumns in this code sequence involves a change of type (i.e. the 
input to InvMixColumns() is normally the State array, which is considered 
to be a two-dimensional array of bytes, whereas the input here is a Round 
Key computed as a one-dimensional array of words). 


Figure 15. Pseudo Code for the Equivalent Inverse Cipher. 


6. Implementation Issues 

6.1 Key Length Requirements 

An implementation of the AES algorithm shall support at least one of the three key lengths 
specified in Sec. 5: 128, 192, or 256 bits (i.e., Nk = 4, 6, or 8, respectively). Implementations 
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may optionally support two or three key lengths, which may promote the interoperability of 
algorithm implementations. 

6.2 Keying Restrictions 

No weak or semi-weak keys have been identified for the AES algorithm, and there is no 
restriction on key selection. 

6.3 Parameterization of Key Length, Block Size, and Round Number 

This standard explicitly defines the allowed values for the key length (Nk), block size (Nb), and 
number of rounds (Nr) - see Fig. 4. However, future reaffirmations of this standard could 
include changes or additions to the allowed values for those parameters. Therefore, 
implementers may choose to design their AES implementations with future flexibility in mind. 

6.4 Implementation Suggestions Regarding Various Platforms 

Implementation variations are possible that may, in many cases, offer performance or other 
advantages. Given the same input key and data (plaintext or ciphertext), any implementation that 
produces the same output (ciphertext or plaintext) as the algorithm specified in this standard is an 
acceptable implementation of the AES. 

Reference [3] and other papers located at Ref. [1] include suggestions on how to efficiently 
implement the AES algorithm on a variety of platforms. 
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Appendix A - Key Expansion Examples 

This appendix shows the development of the key schedule for various key sizes. Note that multi¬ 
byte values are presented using the notation described in Sec. 3. The intermediate values 
produced during the development of the key schedule (see Sec. 5.2) are given in the following 
table (all values are in hexadecimal format, with the exception of the index column (i)). 

A.1 Expansion of a 128-bit Cipher Key 

This section contains the key expansion of the following cipher key: 

Cipher Key = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c 

for Nk = 4, which results in 

Wo = 2b7el516 W\ = 28aed2a6 W2 = abf71588 W3 = 09cf4f3c 


i 

(dec) 

temp 

After 

RotWord() 

After 

SubWord() 

Rcon[i/Nk] 

After XOR 
with Rcon 

w[i-Nk] 

w[i] = 
temp XOR 
w[i-Nk] 

4 

09cf4f3c 

cf4f3c09 

8a84eb01 

01000000 

8b84eb01 

2b7el516 

a0fafel7 

5 

a0fafel7 





28aed2a6 

88542cbl 

6 

88542cbl 





abf71588 

23a33939 

7 

23a33939 





09cf4f3c 

2a6c7605 

8 

2a6c7605 

6c76052a 

50386be5 

02000000 

52386be5 

a0fafel7 

f2c295f2 

9 

f2c295f2 





88542cbl 

7a96b943 

10 

7a96b943 





23a33939 

5935807a 

11 

5935807a 





2a6c7605 

7359f67f 

12 

7359f67f 

59f67f73 

cb42d28f 

04000000 

cf42d28f 

f2c295f2 

3d80477d 

13 

3d80477d 





7a96b943 

4716fe3e 

14 

4716fe3e 





5935807a 

Ie237e44 

15 

Ie237e44 





7359f67f 

6d7a883b 

16 

6d7a883b 

7a883b6d 

dac4e23c 

08000000 

d2c4e23c 

3d80477d 

ef44a541 

17 

ef44a541 





4716fe3e 

a8525b7f 

18 

a8525b7f 





Ie237e44 

b671253b 

19 

b671253b 





6d7a883b 

dbObadOO 

20 

dbObadOO 

ObadOOdb 

2b9563b9 

10000000 

3b9563b9 

ef44a541 

d4dlc6f8 

21 

d4dlc6f8 





a8525b7f 

7c839d87 

22 

7c839d87 





b671253b 

caf2b8bc 

23 

caf2b8bc 





dbObadOO 

Ilf915bc 


27 




24 

Ilf915bc 

f915bcll 

99596582 

20000000 

b9596582 

d4dlc6f 8 

6d88a37a 

25 

6d88a37a 





7c839d87 

110b3efd 

26 

110b3efd 





caf 2 b 8 bc 

dbf98641 

27 

dbf98641 





Ilf915bc 

ca0093fd 

28 

ca0093fd 

0093fdca 

63dc5474 

40000000 

23dc5474 

6d88a37a 

4e54f70e 

29 

4e54f70e 





110b3efd 

5f5fc9f3 

30 

5f5fc9f3 





dbf98641 

84a64fb2 

31 

84a64fb2 





ca0093fd 

4ea6dc4f 

32 

4ea6dc4f 

a6dc4f4e 

2486842f 

80000000 

a486842f 

4e54f70e 

ead27321 

33 

ead27321 





5f5fc9f3 

b58dbad2 

34 

b58dbad2 





84a64fb2 

312bf560 

35 

312bf560 





4ea6dc4f 

7f8d292f 

36 

7f8d292f 

8d292f7f 

5da515d2 

lbOOOOOO 

46a515d2 

ead27321 

ac7766f3 

37 

ac7766f3 





b58dbad2 

19fadc21 

38 

19fadc21 





312bf560 

28dl2941 

39 

28dl2941 





7f8d292f 

575c006e 

40 

575c006e 

5c006e57 

4a639f5b 

36000000 

7c639f5b 

ac7766f3 

d014f9a8 

41 

d014f9a8 





19fadc21 

c9ee2589 

42 

c9ee2589 





28dl2941 

el3f0cc8 

43 

el3f0cc8 





575c006e 

b6630ca6 


A.2 Expansion of a 192-bit Cipher Key 

This section contains the key expansion of the following cipher key: 

Cipher Key = 8 e 73 bO f7 da Oe 64 52 c 8 10 f3 2b 

80 90 79 e5 62 f 8 ea d2 52 2c 6 b 7b 

for Nk = 6, which results in 

Wo=8e73bOf7 W\ = da0e6452 W2 = c810f32b W3 = 809079e5 

W 4 = 62f8ead2 W 5 = 522c6b7b 


i 

(dec) 

temp 

After 

RotWord() 

After 

SubWord() 

Rcon[i/Nk] 

After XOR 

with Rcon 

w[i-Nk] 

w[i] = 
temp XOR 
w [i-Nk] 

6 

522c6b7b 

2c6b7b52 

717f2100 

01000000 

707f2100 

8e73b0f7 

fe0c91f7 

7 

fe0c91f7 





da0e6452 

2402f5a5 

8 

2402f5a5 





c810f32b 

ec!2068e 


28 





9 

ecl2068e 





809079e5 

6c827f6b 

10 

6c827f6b 





62f8ead2 

0e7a95b9 

11 

0e7a95b9 





522c6b7b 

5c56fec2 

12 

5c56fec2 

56fec25c 

blbb254a 

02000000 

b3bb254a 

fe0c91f7 

4db7b4bd 

13 

4db7b4bd 





2402f5a5 

69b54118 

14 

69b54118 





ecl2068e 

85a74796 

15 

85a74796 





6c827f6b 

e92538fd 

16 

e92538fd 





0e7a95b9 

e75fad44 

17 

e75fad44 





5c56fec2 

bb095386 

18 

bb095386 

095386bb 

01ed44ea 

04000000 

05ed44ea 

4db7b4bd 

485af057 

19 

485af057 





69b54118 

21efbl4f 

20 

21efbl4f 





85a74796 

a448f6d9 

21 

a448f6d9 





e92538fd 

4d6dce24 

22 

4d6dce24 





e75fad44 

aa326360 

23 

aa326360 





bb095386 

113b30e6 

24 

113b30e6 

3b30e611 

e2048e82 

08000000 

ea048e82 

485af057 

a25e7ed5 

25 

a25e7ed5 





21efbl4f 

83blcf9a 

26 

83blcf9a 





a448f6d9 

27f93943 

27 

27f93943 





4d6dce24 

6a94f7 67 

28 

6a94f7 67 





aa326360 

c0a69407 

29 

c0a69407 





113b30e6 

dl9da4el 

30 

dl9da4el 

9da4eldl 

5e49f83e 

10000000 

4e49f83e 

a25e7ed5 

ecl786eb 

31 

ecl786eb 





83blcf9a 

6fa64971 

32 

6fa64971 





27f93943 

485f7032 

33 

485f7032 





6a94f7 67 

22cb8755 

34 

22cb8755 





c0a69407 

e26dl352 

35 

e26dl352 





dl9da4el 

33f0b7b3 

36 

33f0b7b3 

f0b7b333 

8ca96dc3 

20000000 

aca96dc3 

ecl786eb 

40beeb28 

37 

40beeb28 





6fa64971 

2fl8a259 

38 

2fl8a259 





485f7032 

6747d26b 

39 

6747d26b 





22cb8755 

458c553e 


458c553e 





e26dl352 

a7el466c 

41 

a7el466c 





33f0b7b3 

9411fldf 

42 

9411fldf 

Ilfldf94 

82al9e22 

40000000 

c2al9e22 

40beeb28 

821f750a 

43 

821f750a 





2fl8a259 

ad07d753 


29 



44 

ad07d753 





6747d26b 

ca400538 

45 

ca400538 





458c553e 

8fcc5006 

46 

8fcc5006 





a7el466c 

282dl66a 

47 

282dl66a 





9411fldf 

bc3ce7b5 

48 

bc3ce7b5 

3ce7b5bc 

eb94d565 

80000000 

6b94d565 

821f750a 

e98ba06f 

49 

e98ba06f 





ad07d753 

448c773c 

50 

448c773c 





ca400538 

8ecc7204 

51 

8ecc7204 





8fcc5006 

01002202 


A.3 Expansion of a 256-bit Cipher Key 

This section contains the key expansion of the following cipher key: 

Cipher Key = 60 3d eb 10 15 ca 71 be 2b 73 ae fO 85 7d 77 81 

If 35 2c 07 3b 61 08 d7 2d 98 10 a3 09 14 df f4 

for Nk = 8, which results in 

Wo = 603debl0 W\ = 15ca71be W 2 = 2b73aef0 W 3 = 857d7781 

W4 = If352c07 W 5 = 3b6108d7 W 6 = 2d9810a3 W 7 = 0914dff4 


i 

(dec) 

temp 

After 

RotWord() 

After 

SubWord() 

Rcon[i/Nk] 

After XOR 

with Rcon 

w[i-Nk] 

w[i] = 
temp XOR 
w [i-Nk] 

8 

0914dff4 

14dff409 

fa9ebf01 

01000000 

fb9ebf01 

603debl0 

9ba35411 

9 

9ba35411 





15ca71be 

8e6925af 

10 

8e6925af 





2b73aef0 

a51a8b5f 

11 

a51a8b5f 





857d7781 

2067fcde 

12 

2067fcde 


b785b01d 



If352c07 

a8b09cla 

13 

a8b09cla 





3b6108d7 

93dl94cd 

14 

93dl94cd 





2d9810a3 

be49846e 

15 

be49846e 





0914dff4 

b75d5b9a 

16 

b75d5b9a 

5d5b9ab7 

4c39b8a9 

02000000 

4e39b8a9 

9ba35411 

d59aecb8 

17 

d59aecb8 





8e6925af 

5bf3c917 

18 

5bf3c917 





a51a8b5f 

fee94248 

19 

fee94248 





2067fcde 

de8ebe96 

20 

de8ebe96 


Idl9ae90 



a8b09cla 

b5a9328a 

21 

b5a9328a 





93dl94cd 

2678a647 

22 

2678a647 





be49846e 

98312229 


30 






98312229 





b75d5b9a 

2f6c79b3 


2f6c79b3 

6c79b32f 

50b66dl5 

04000000 

54b66dl5 

d59aecb8 

812c81ad 


812c81ad 





5bf3c917 

dadf48ba 


dadf48ba 





fee94248 

24360af2 


24360af2 





de8ebe96 

fab8b464 


fab8b464 


2d6c8d43 



b5a9328a 

98c5bfc9 


98c5bfc9 





2678a647 

bebdl98e 


bebdl98e 





98312229 

268c3ba7 


268c3ba7 





2f6c79b3 

09e04214 


09e04214 

e0421409 

el2cfa01 

08000000 

e92cfa01 

812c81ad 

68007bac 


68007bac 





dadf48ba 

b2df3316 


b2df3316 





24360af2 

96e939e4 


96e939e4 





fab8b464 

6c518d80 


6c518d80 


50dl5dcd 



98c5bfc9 

c814e204 


c814e204 





bebdl98e 

7 6a9fb8a 


7 6a9fb8a 





268c3ba7 

5025c02d 


5025c02d 





09e04214 

59c58239 


59c58239 

C5823959 

a61312cb 

10000000 

b61312cb 

68007bac 

del36967 


del36967 





b2df3316 

6ccc5a71 


6ccc5a71 





96e939e4 

fa256395 


fa256395 





6c518d80 

9674eel5 


9674eel5 


90922859 



c814e204 

5886ca5d 


5886ca5d 





76a9fb8a 

2e2f31d7 


2e2f31d7 





5025c02d 

7e0aflfa 


7e0aflfa 





59c58239 

27cf73c3 


27cf73c3 

cf73c327 

8a8f2ecc 

20000000 

aa8f2ecc 

del36967 

749c47ab 

49 

749c47ab 





6ccc5a71 

18501dda 

50 

18501dda 





fa256395 

e2757e4f 

51 

e2757e4f 





9674eel5 

7401905a 

52 

7401905a 


927c60be 



5886ca5d 

cafaaae3 

53 

cafaaae3 





2e2f31d7 

e4d59b34 

54 

e4d5 9b34 





7e0aflfa 

9adf6ace 

55 

9adf6ace 





27cf73c3 

bdl0190d 

56 

bdl0190d 

10190dbd 

cad4d77a 

40000000 

8ad4d77a 

749c47ab 

fe4890dl 

57 

fe4890dl 





18501dda 

e6188d0b 
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Appendix B - Cipher Example 


The following diagram shows the values in the State array as the Cipher progresses for a block 
length and a Cipher Key length of 16 bytes each (i.e., Nb = 4 and Nk = 4). 

Input = 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 eO 37 07 34 

Cipher Key = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c 


The Round Key values are taken from the Key Expansion example in Appendix A. 


Round Start of 
Number Round 


After 

SubBytes 


After 
ShiftRows 


After 

MixColumns 


Round Key 
Value 


~32 

88 

31 

eO 

43 

5a 

31 

37 

f 6 

30 

98 

07 

a8 

8d 

a2 

^4 


"2b 

28 

ab 

09 

7e 

ae 

f 7 

cf 

15 

d2 

15 

4f 

T6“ 

a6 

88 

3c 


19 

aO 

9a 

e9 

3d 

f 4 

c6 

f 8 

e3 

e2 

8d 

48 

be 

2b 

2a 

08 


04 

eO 

48 

28 

66 

cb 

f 8 

06 

81 

19 

d3 

26 

e5 

9a 

7a 

4c 


aO 

88 

23 

2a 

fa 

54 

a3 

6c 

fe 

2c 

39 

76 

17 

bl 

39 

"05" 


~d4 

eO 

b8 

le 

27 

bf 

b4 

41 

11 

98 

5d 

52 

ae 

fl 

e5 

30 


d4 

eO 

b8 

le 

bf 

b4 

41 

27 

5d 

52 

11 

98 

30 

ae 

fl 

e5 


58 

lb 

db 

lb 

4d 

4b 

e7 

6b 

ca 

5a 

ca 

bO 

fl 

ac 

a8 

e5 


f2 

7a 

59 

73 

^c2" 

96 

35 

1>9 

”95“ 

b9 

80 

~f6 

f 2 

43 

7a 

~lf 


49 

45 

7f 

77 

db 

39 

02 

de 

~87“ 

53 

d2 

96 

3b 

89 

fl 

la 


49 

45 

7f 

77 

de 

db 

39 

“02" 

d2 

96 

87 

^53“ 

89 

fl 

la 

3b 


a4 

68 

6b 

02 

“9c“ 

9f 

5b 

6a 

~lf~ 

35 

ea 

50 

f 2 

2b 

43 

49 


75 

20 

53 

bb 

ec 

0b 

cO 

25 

09 

63 

cf 

dO 

“93" 

33 

7c 

dc 


ac 

ef 

13 

45 

cl 

b5 

23 

73 

d6 

5a 

cf 

11 

b8 

7b 

df 

b5 


ac 

ef 

13 

45 

73 

cl 

b5 

23 

cf 

11 

d6 

5a 

~fb 

df 

b5 

b8 


aa 

61 

82 

68 

00 

dd 

d2 

32 

5f 

e3 

4a 

46 

03 

ef 

d2 

9a 


3d 

47 

le 

6d 

80 

16 

23 

7a 

47 

fe 

7e 

88 

7d 

3e 

44 

3b 


48 

67 

4d 

d6 

6c 

Id 

e3 

5f 

4e 

9d 

bl 

58 

ee 

Od 

38 

e7 


Of 

60 

6f 

5e" 

d6 

31 

cO 

b3 

da 

38 

10 

13 

a9 

bf 

6b 

~01 


ef 

a8 

b6 

db 

44 

52 

71 

0b 

a5 

5b 

25 

ad 

41 

If 

3b 

00 


"52~ 

85 

e3 

f 6 

50 

a4 

11 

cf 

2f 

5e 

c8 

6a 

^28“ 

d7 

07 

94 


52 

85 

e3 

Te 

a4 

11 

cf 

50 

c8 

6a 

2f 

5e 

94 

28 

d7 

“07“ 


el 

e8 

35 

97 

4f 

fb 

c8 

6c 

d2 

fb 

96 

ae 

9b 

ba 

53 

7c 


25 

bd 

b6 

4c 

dl 

11 
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Appendix C - Example Vectors 

This appendix contains example vectors, including intermediate values - for all three AES key 
lengths (Nk = 4, 6, and 8), for the Cipher, Inverse Cipher, and Equivalent Inverse Cipher that are 
described in Sec. 5.1, 5.3, and 5.3.5, respectively. Additional examples may be found at [1] and 
[5], 

All vectors are in hexadecimal notation, with each pair of characters giving a byte value in which 
the left character of each pair provides the bit pattern for the 4 bit group containing the higher 
numbered bits using the notation explained in Sec. 3.2, while the right character provides the bit 
pattern for the lower-numbered bits. The array index for all bytes (groups of two hexadecimal 
digits) within these test vectors starts at zero and increases from left to right. 


Legend for CIPHER (ENCRYPT) (round number r = 0 to 10, 12 or 14): 


input: 

cipher input 

start: 

state at start of round[r] 

s_box: 

state after SubBytes() 

s_row: 

state after ShiftRows() 

m_col: 

state after MixColumns() 

k_sch: 

key schedule value for round[r] 

output: 

cipher output 


Legend for INVERSE CIPHER (DECRYPT) (round number r = 0 to 10, 12 or 14): 
iinput: inverse cipher input 
istart: state at start of round[r] 

is_box: state after InvSubBytes() 

is_row: state after InvShiftRows() 

ik_sch: key schedule value for round[r] 

ik_add: state after AddRoundKey() 

ioutput: inverse cipher output 


Legend for EQUIVALENT INVERSE CIPHER (DECRYPT) (round number r = 0 to 10, 12 

or 14) : 


iinput: 
istart: 
is_box: 
is_row: 
im_col: 
ik_sch: 
ioutput: 


inverse cipher input 
state at start of round[r] 
state after InvSubBytes() 
state after InvShiftRows() 
state after InvMixColumns() 
key schedule value for round[r] 
inverse cipher output 


C.1 AES-128 (Nk=4, Nr= 10) 

PLAINTEXT: 00112233445566778899aabbccddeeff 

KEY: 000102030405060708090a0b0c0d0e0f 

CIPHER (ENCRYPT): 
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round[ 0] 
round[ 0] 
round[ 1] 
round[ 1] 
round[ 1] 
round[ 1] 
round[ 1] 
round[ 2] 
round[ 2] 
round[ 2] 
round[ 2] 
round[ 2] 
round[ 3] 
round[ 3] 
round[ 3] 
round[ 3] 
round[ 3] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 9] 
round[ 9] 
round[ 9] 
round[ 9] 
round[ 9] 
round[10] 
round[10] 
round[10] 
round[10] 
round[10] 


. input 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. k_sch 
. output 


00112233445566778899aabbccddeeff 
000102030405060708090a0b0c0d0e0f 
00102030405060708090a0b0c0d0e0f0 
63cab7040953d051cd60e0e7ba70el8c 
6353e08c0960el04cd70b751bacad0e7 
5f72641557f5bc92f7be3b291db9f91a 
d6aa74fdd2af72fadaa678fId6ab76fe 
89d810e8855ace682dl843d8cbl28fe4 
a761ca9b97be8b45d8adla611fc97369 
a7bela6997ad739bd8c9ca451f618b61 
ff87968431d86a51645151fa773ad009 
b692cf0b643dbdfIbe9bc5006830b3fe 
4915598f55e5d7a0daca94falf0a63f7 
3b59cb73fcd90ee05774222dc067fb68 
3bd92268fc74fb7357 67cbe0c0590e2d 
4c9cle66f771f0762c3f868e534df256 
b6ff744ed2c2c9bf6c590cbf0469bf41 
fa636a2825b339c940668a3157244dl7 
2dfb02343f6dl2dd09337ec75b36e3f0 
2d6d7ef03f33e334093602dd5bfbl2c7 
6385b79ffc538df997be478e7547d691 
47f7f7bc95353e03f96c32bcfd058dfd 
247240236966b3fa6ed2753288425b6c 
36400926f9336d2d9fb59d23c42c3950 
36339d50f9b539269f2c092dc4406d23 
f4bcd45432e554d075fId6c51dd03b3c 
3caaa3e8a99f9deb50f3af57adf622aa 
c81677bc9b7ac93b25027992b0261996 
e847f56514dadde23f77b64fe7f7d490 
e8dab6901477d4653ff7f5e2e747dd4f 
9816ee7400f87f556b2c049c8e5ad036 
5e390f7df7a69296a7553dcl0aa31f6b 
c62fel09f75eedc3cc79395d84f9cf5d 
b415f8016858552e4bb6124c5f998a4c 
b458124c68b68a014b99f82e5f15554c 
c57elcl59a9bd286f05f4be098c63439 
14f9701ae35fe28c440adf4d4ea9c026 
dl876c0f79c4300ab45594add66ff41f 
3el75076b61c04678dfc2295f6a8bfcO 
3elc22c0b6fcbf768da85067f6170495 
baa03de7alf9b56ed5512cba5f414d23 
47438735a41c65b9e016baf4aebf7ad2 
fde3bad205e5d0d73547964eflfe37f1 
5411f4b56bd9700e96a0902falbb9aal 
54d990al6ba09ab596bbf40ealll702f 
e9f74eec023020f61bf2ccf2353c21c7 
549932dlf08557681093ed9cbe2c974e 
bd6e7c3df2b5779e0b61216e8bl0b689 
7a9f102789d5f50b2beffd9f3dca4ea7 
7ad5fda789ef4e272bcal00b3d9ff59f 
13111d7fe3944al7f307a78b4d2b30c5 
69c4e0d86a7b0430d8cdb78070b4c55a 


INVERSE CIPHER (DECRYPT): 

round[ 0].iinput 69c4e0d86a7b0430d8cdb78070b4c55a 
round[ 0].ik_sch 13111d7fe3944al7f307a78b4d2b30c5 
round[ 1].istart 7ad5fda789ef4e272bcal00b3d9ff59f 
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round[ 1] 
round[ 1] 
round[ 1] 
round[ 1] 
round[ 2] 
round[ 2] 
round[ 2] 
round[ 2] 
round[ 2] 
round[ 3] 
round[ 3] 
round[ 3] 
round[ 3] 
round[ 3] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 9] 
round[ 9] 
round[ 9] 
round[ 9] 
round[ 9] 
round[10] 
round[10] 
round[10] 
round[10] 
round[10] 


. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
.ioutput 


7a9f102789d5f50b2beffd9f3dca4ea7 
bd6e7c3df2b5779e0b61216e8bl0b689 
549932dlf08557681093ed9cbe2c974e 
e9f74eec023020f61bf2ccf2353c21c7 
54d990al6ba09ab596bbf40ealll702f 
5411f4b56bd9700e96a0902falbb9aal 
fde3bad205e5d0d73547964eflfe37f1 
47438735a41c65b9e016baf4aebf7ad2 
baa03de7alf9b56ed5512cba5f414d23 
3elc22c0b6fcbf768da85067f6170495 
3el75076b61c04678dfc2295f6a8bfcO 
dl876c0f79c4300ab45594add66ff41f 
14f9701ae35fe28c440adf4d4ea9c026 
c57elcl59a9bd286f05f4be098c63439 
b458124c68b68a014b99f82e5f15554c 
b415f8016858552e4bb6124c5f998a4c 
c62fel09f75eedc3cc79395d84f9cf5d 
5e390f7df7a69296a7553dcl0aa31f6b 
9816ee7400f87f556b2c049c8e5ad036 
e8dab6901477d4653ff7f5e2e747dd4f 
e847f56514dadde23f77b64fe7f7d490 
c81677bc9b7ac93b25027992b0261996 
3caaa3e8a99f9deb50f3af57adf622aa 
f4bcd45432e554d075fId6c51dd03b3c 
36339d50f9b539269f2c092dc4406d23 
36400926f9336d2d9fb59d23c42c3950 
247240236966b3fa6ed2753288425b6c 
47f7f7bc95353e03f96c32bcfd058dfd 
6385b79ffc538df997be478e7547d691 
2d6d7ef03f33e334093602dd5bfbl2c7 
2dfb02343f6dl2dd09337ec75b36e3f0 
fa636a2825b339c940668a3157244dl7 
b6ff744ed2c2c9bf6c590cbf0469bf41 
4c9cle66f771f0762c3f868e534df256 
3bd92268fc74fb735767cbe0c0590e2d 
3b59cb73fcd90ee05774222dc067fb68 
4915598f55e5d7a0daca94falf0a63f7 
b692cf0b643dbdfIbe9bc5006830b3fe 
ff87968431d86a51645151fa773ad009 
a7bela6997ad739bd8c9ca451f618b61 
a761ca9b97be8b45d8adla611fc97369 
89d810e8855ace682dl843d8cbl28fe4 
d6aa74fdd2af72fadaa678fId6ab76fe 
5f72641557f5bc92f7be3b291db9f91a 
6353e08c0960el04cd70b751bacad0e7 
63cab7040953d051cd60e0e7ba70el8c 
00102030405060708090a0b0c0d0e0f0 
000102030405060708090a0b0c0d0e0f 
00112233445566778899aabbccddeeff 


EQUIVALENT INVERSE CIPHER (DECRYPT): 
round[ 0].iinput 69c4e0d86a7b0430d8cdb78070b4c55a 

round[ 0].ik_sch 13111d7fe3944al7f307a78b4d2b30c5 

round[ 1].istart 7ad5fda789ef4e272bcal00b3d9ff59f 

round[ l].is_box bdb52189f261b63d0bl07c9e8b6e776e 

round[ 1].is_row bd6e7c3df2b5779e0b61216e8bl0b689 

round[ l].im_col 4773b91ff72f354361cb018eale6cf2c 
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round[ 1].ik_sch 13aa29be9c8faff6f770f58000f7bf03 
round[ 2].istart 54d990al6ba09ab596bbf40ealll702f 
round[ 2].is_box fde596f1054737d235febad7fIe3d04e 
round[ 2].is_row fde3bad205e5d0d73547964eflfe37f1 
round[ 2].im_col 2d7e86a339d9393ee6570all01904el6 
round[ 2].ik_sch 1362a4638f2586486bff5a76f7874a83 
round[ 3].istart 3elc22c0b6fcbf768da85067f6170495 
round[ 3].is_box dlc4941f7955f40fb46f6c0ad68730ad 
round[ 3].is_row dl876c0f79c4300ab45594add66ff41f 
round[ 3].im_col 39daee38f4fla82aaf432410c36d45b9 
round[ 3].ik_sch 8d82fc749c47222be4dadc3e9c7810f5 
round[ 4].istart b458124c68b68a014b99f82e5f15554c 
round[ 4].is_box c65e395df779cf09ccf9elc3842fed5d 
round[ 4].is_row c62fel09f75eedc3cc79395d84f9cf5d 
round[ 4].im_col 9a39bfId05b20a3a476a0bf79fe51184 
round[ 4].ik_sch 72e3098dllc5de5f789dfel578a2cccb 
round[ 5].istart e8dab6901477d4653ff7f5e2e747dd4f 
round[ 5].is_box c87a79969b0219bc2526773bb016c992 
round[ 5].is_row c81677bc9b7ac93b25027992b0261996 
round[ 5].im_col 18f78d779a93eef4f6742967c47f5ffd 
round[ 5].ik_sch 2ec410276326d7d26958204a003f32de 
round[ 6].istart 36339d50f9b539269f2c092dc4406d23 
round[ 6].is_box 2466756c69d25b236e4240fa8872b332 
round[ 6].is_row 247240236966b3fa6ed2753288425b6c 
round[ 6].im_col 85cf8bf472dl24cl0348f545329c0053 
round[ 6].ik_sch a8a2f5044de2c7f50a7ef79869671294 
round[ 7].istart 2d6d7ef03f33e334093602dd5bfbl2c7 
round[ 7].is_box fab38al725664d2840246ac957633931 
round[ 7].is_row fa636a2825b339c940668a3157244dl7 
round[ 7].im_col felfelf91934c98210fbfb8da340eb21 
round[ 7].ik_sch c7c6e391e54032f1479c306d6319e50c 
round[ 8].istart 3bd92268fc74fb735767cbe0c0590e2d 
round[ 8].is_box 49e594f755ca638fda0a59a01f15d7fa 
round[ 8].is_row 4915598f55e5d7a0daca94falf0a63f7 
round[ 8].im_col 076518f0b52ba2fb7al5c8d93be45e00 
round[ 8].ik_sch a0db02992286dl60a2dc029c2485d561 
round[ 9].istart a7bela6997ad739bd8c9ca451f618b61 
round[ 9].is_box 895a43e485188fe82dl21068cbd8ced8 
round[ 9].is_row 89d810e8855ace682dl843d8cbl28fe4 
round[ 9].im_col ef053f7c8b3d32fd4d2a64ad3c93071a 
round[ 9].ik_sch 8c56dff0825dd3f9805ad3fc8659d7fd 
round[10].istart 6353e08c0960el04cd70b751bacad0e7 
round[10].is_box 0050a0f04090e03080d02070c01060b0 
round[10].is_row 00102030405060708090a0b0c0d0e0f0 
round[10].ik_sch 000102030405060708090a0b0c0d0e0f 
round[10].ioutput 00112233445566778899aabbccddeeff 


C.2 AES-192 (Nk=6, Nr= 12) 

PLAINTEXT: 00112233445566778899aabbccddeeff 

KEY: 000102030405060708090a0b0c0d0e0f1011121314151617 

CIPHER (ENCRYPT): 

round[ 0].input 00112233445566778899aabbccddeeff 

round[ 0].k_sch 000102030405060708090a0b0c0d0e0f 

round[ 1].start 00102030405060708090a0b0c0d0e0f0 
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round[ 1] 
round[ 1] 
round[ 1] 
round[ 1] 
round[ 2] 
round[ 2] 
round[ 2] 
round[ 2] 
round[ 2] 
round[ 3] 
round[ 3] 
round[ 3] 
round[ 3] 
round[ 3] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 9] 
round[ 9] 
round[ 9] 
round[ 9] 
round[ 9] 
round[10] 
round[10] 
round[10] 
round[10] 
round[10] 
round[11] 
round[11] 
round[11] 
round[11] 
round[11] 
round[12] 
round[12] 
round[12] 


. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 


63cab7040953d051cd60e0e7ba70el8c 
6353e08c0960el04cd70b751bacad0e7 
5f72641557f5bc92f7be3b291db9f91a 
10111213141516175846f2f95c43f4fe 
4f63760643e0aa85aff8c9d041fa0de4 
84fb386flaelac977941dd70832dd769 
84eldd691a41d76f792d389783fbac70 
9f487f794f955f662afc86abd7flab29 
544afef55847f0fa4856e2e95c43f4fe 
cb02818cl7d2af9c62aa64428bb25fd7 
If770c64f0b579deaaac432c3d37cfOe 
lfb5430efOaccf64aa370cde3d77792c 
b7a53ecbbf9d75a0c40efc79b674ccll 
40f949b31cbabd4d48f043b810b7b342 
f75c7778a327c8ed8cfebfcla6c37f53 
684af5bc0acce85564bb0878242ed2ed 
68cc08ed0abbd2bc642ef555244ae878 
7ale98bdacb6dll41a6944dd06eb2d3e 
58el51ab04a2a5557effb5416245080c 
22ffc916a81474416496f19c64ae2532 
9316dd47c2fa92834390alde43e43f23 
93faal23c2903f4743e4dd83431692de 
aaa755b34cffe57cef6f98elf01cl3e6 
2ab54bb43a02f8f662e3a95d66410c08 
80121e0776fdld8a8d8c31bc965dlfee 
cdc972c53854a47e5d64c7 65904cc028 
cd54c7283864c0c55d4c727e90c9a465 
921f748fd96e937d622d7725ba8ba50c 
f501857297448d7ebdflc6ca87f33e3c 
671eflfd4e2ale03dfdcblef3d789b30 
8572al542fe5727b9e86c8df27bcl404 
85e5c8042f8614549ebcal7b277272df 
e913e7bl8f507d4b227ef652758acbcc 
e510976183519b6934157c9ea351fleO 
0c0370d00c01e622166b8accd6db3a2c 
fe7b5170fe7c8e93477f7e4bf6b98071 
fe7c7e71fe7f807047b95193f67b8e4b 
6cf5edf996eb0a069c4ef21cbfc257 62 
Iea0372a995309167c439e77ff12051e 
7255dad30fb80310e00d6c6b40d0527c 
40fc5766766c7bcaeld7507f09700010 
406c501076d70066el7057ca09fc7b7f 
7478bcdce8a50b81d4327a9009188262 
dd7e0e887e2fff68608fc842f9dccl54 
a906b254968af4e9b4bdb2d2f0c44336 
d36f3720907ebfIe8d7a37b58clcla05 
d37e3705907ala208dlc371e8c6fbfb5 
0d73cc2d8f6abe8b0cf2dd9bb83d422e 
859f5f237a8d5a3dc0c02952beefd63a 
88ec930ef5e7e4b6cc32f4c906d29414 
c4cedcabe694694e4b23bfdd6fb522fa 
C494bffae62322ab4bb5dc4e6fce69dd 
71d720933b6d677dc00b8f28238e0fb7 
de601e7827bcdf2ca223800fd8aeda32 
afb73eeblcdlb85162280f27fb20d585 
79a9b2e99c3e6cdlaa3476cc0fb70397 
793e76979c3403e9aab7b2dl0fa96ccc 
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round[12].k_sch a4970a331a78dc09c418c271e3a41d5d 
round[12].output dda97ca4864cdfe06eaf70a0ec0d7191 

INVERSE CIPHER (DECRYPT): 

round[ 0].iinput dda97ca4864cdfe06eaf70a0ec0d7191 

round[ 0].ik_sch a4970a331a78dc09c418c271e3a41d5d 

round[ 1].istart 793e76979c3403e9aab7b2dl0fa96ccc 

round[ 1].is_row 79a9b2e99c3e6cdlaa3476cc0fb70397 

round[ l].is_box afb73eeblcdlb85162280f27fb20d585 

round[ l].ik_sch de601e7827bcdf2ca223800fd8aeda32 

round[ 1].ik_add 71d720933b6d677dc00b8f28238e0fb7 

round[ 2].istart c494bffae62322ab4bb5dc4e6fce69dd 

round[ 2].is_row c4cedcabe694694e4b23bfdd6fb522fa 

round[ 2].is_box 88ec930ef5e7e4b6cc32f4c906d29414 

round[ 2].ik_sch 859f5f237a8d5a3dc0c02952beefd63a 

round[ 2].ik_add 0d73cc2d8f6abe8b0cf2dd9bb83d422e 

round[ 3].istart d37e3705907ala208dlc371e8c6fbfb5 

round[ 3].is_row d36f3720907ebfIe8d7a37b58clcla05 

round[ 3].is_box a906b254968af4e9b4bdb2d2f0c44336 

round[ 3].ik_sch dd7e0e887e2fff68608fc842f9dccl54 

round[ 3].ik_add 7478bcdce8a50b81d4327a9009188262 

round[ 4].istart 406c501076d70066el7057ca09fc7b7f 

round[ 4].is_row 40fc5766766c7bcaeld7507f09700010 

round[ 4].is_box 7255dad30fb80310e00d6c6b40d0527c 

round[ 4].ik_sch Iea0372a995309167c439e77ff12051e 

round[ 4].ik_add 6cf5edf996eb0a069c4ef21cbfc25762 

round[ 5].istart fe7c7e71fe7f807047b95193f67b8e4b 

round[ 5].is_row fe7b5170fe7c8e93477f7e4bf6b98071 

round[ 5].is_box 0c0370d00c01e622166b8accd6db3a2c 

round[ 5].ik_sch e510976183519b6934157c9ea351fleO 

round[ 5].ik_add e913e7bl8f507d4b227ef652758acbcc 

round[ 6].istart 85e5c8042f8614549ebcal7b277272df 

round[ 6].is_row 8572al542fe5727b9e86c8df27bcl404 

round[ 6].is_box 671efIfd4e2ale03dfdcblef3d789b30 

round[ 6].ik_sch f501857297448d7ebdfIc6ca87f33e3c 

round[ 6].ik_add 921f748fd96e937d622d7725ba8ba50c 

round[ 7].istart cd54c7283864c0c55d4c727e90c9a465 

round[ 7].is_row cdc972c53854a47e5d64c765904cc028 

round[ 7].is_box 80121e0776fdld8a8d8c31bc965dlfee 

round[ 7].ik_sch 2ab54bb43a02f8f662e3a95d66410c08 

round[ 7].ik_add aaa755b34cffe57cef6f98elf01cl3e6 

round[ 8].istart 93faal23c2903f4743e4dd83431692de 

round[ 8].is_row 9316dd47c2fa92834390alde43e43f23 

round[ 8].is_box 22ffc916a81474416496f19c64ae2532 

round[ 8].ik_sch 58el51ab04a2a5557effb5416245080c 

round[ 8].ik_add 7ale98bdacb6dll41a6944dd06eb2d3e 

round[ 9].istart 68cc08ed0abbd2bc642ef555244ae878 

round[ 9].is_row 684af5bc0acce85564bb0878242ed2ed 

round[ 9].is_box f75c7778a327c8ed8cfebfcla6c37f53 

round[ 9].ik_sch 40f949b31cbabd4d48f043b810b7b342 

round[ 9].ik_add b7a53ecbbf9d75a0c40efc79b674ccll 

round[10].istart lfb5430efOaccf64aa370cde3d77792c 
round[10].is_row If770c64f0b579deaaac432c3d37cfOe 
round[10].is_box cb02818cl7d2af9c62aa64428bb25fd7 
round[10].ik_sch 544afef55847f0fa4856e2e95c43f4fe 
round[10].ik_add 9f487f794f955f662afc86abd7flab29 
round[11].istart 84eldd691a41d76f792d389783fbac70 
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round[11].is_row 
round[11].is_box 
round[11].ik_sch 
round[11].ik_add 
round[12].istart 
round[12].is_row 
round[12].is_box 
round[12].ik_sch 
round[12].ioutput 


84fb386flaelac977941dd70832dd769 
4f63760643e0aa85aff8c9d041fa0de4 
10111213141516175846f2f95c43f4fe 
5f72641557f5bc92f7be3b291db9f91a 
6353e08c0960el04cd70b751bacad0e7 
63cab7040953d051cd60e0e7ba70el8c 
00102030405060708090a0b0c0d0e0f0 
000102030405060708090a0b0c0d0e0f 
00112233445566778899aabbccddeeff 


EQUIVALENT 
round[ 0]. 
round[ 0]. 
round[ 1]. 
round[ 1]. 
round[ 1]. 
round[ 1]. 
round[ 1]. 
round[ 2]. 
round[ 2]. 
round[ 2]. 
round[ 2]. 
round[ 2]. 
round[ 3]. 
round[ 3]. 
round[ 3]. 
round[ 3]. 
round[ 3]. 
round[ 4]. 
round[ 4]. 
round[ 4]. 
round[ 4]. 
round[ 4]. 
round[ 5]. 
round[ 5]. 
round[ 5]. 
round[ 5]. 
round[ 5]. 
round[ 6]. 
round[ 6]. 
round[ 6]. 
round[ 6]. 
round[ 6]. 
round[ 7]. 
round[ 7]. 
round[ 7]. 
round[ 7]. 
round[ 7]. 
round[ 8]. 
round[ 8]. 
round[ 8]. 
round[ 8]. 
round[ 8]. 
round[ 9]. 
round[ 9]. 
round[ 9]. 
round[ 9]. 


INVERSE 
iinput 
ik_sch 
istart 
is_box 
is_row 
im_col 
ik_sch 
istart 
is_box 
is_row 
im_col 
ik_sch 
istart 
is_box 
is_row 
im_col 
ik_sch 
istart 
is_box 
is_row 
im_col 
ik_sch 
istart 
is_box 
is_row 
im_col 
ik_sch 
istart 
is_box 
is_row 
im_col 
ik_sch 
istart 
is_box 
is_row 
im_col 
ik_sch 
istart 
is_box 
is_row 
im_col 
ik_sch 
istart 
is_box 
is_row 
im col 


CIPHER (DECRYPT): 
dda97ca4864cdfe06eaf70a0ec0d7191 
a4970a331a78dc09c418c271e3a41d5d 
793e76979c3403e9aab7b2dl0fa96ccc 
afdlOf851c28d5eb62203e51fbb7b827 
afb73eeblcdlb85162280f27fb20d585 
122a02f7242ac8e20605afce51cc7264 
d6bebd0dc209ea494db073803e021bb9 
C494bffae62322ab4bb5dc4e6fce69dd 
88e7f414f532940eccd293b606ece4c9 
88ec930ef5e7e4b6cc32f4c906d29414 
5cc7aecce3c872194ae5ef8309a933c7 
8fb999c973b26839c7f9d89d85c68c72 
d37e3705907ala208dlc371e8c6fbfb5 
a98ab23696bd4354b4c4b2e9f006f4d2 
a906b254968af4e9b4bdb2d2f0c44336 
b7113edl34e85489b20866b51d4b2c3b 
f77d6ecl423f54ef5378317f14b75744 
406c501076d70066el7057ca09fc7b7f 
72b86c7c0f0d52d3e0d0dal04055036b 
7255dad30fb80310e00d6c6b40d0527c 
ef3blbelb9b0e64bdcb79fIe0a707fbb 
1147659047cf663b9b0ece8dfcObfIf0 
fe7c7e71fe7f807047b95193f67b8e4b 
0c018a2c0c6b3ad016db7022d603e6cc 
0c0370d00c01e622166b8accd6db3a2c 
592460b248832b2952e0b831923048f1 
dccla8b667053f7dcc5cl94ab5423a2e 
85e5c8042f8614549ebcal7b277272df 
672abl304edc9bfddf78f1033dleleef 
671eflfd4e2ale03dfdcblef3d789b30 
0b8a7783417ae3alf9492dc0c641a7ce 
c6deb0ab791e2364a4055fbe568803ab 
cd54c7283864c0c55d4c727e90c9a465 
80fd31ee768clf078d5dle8a96121dbc 
80121e0776fdld8a8d8c31bc965dlfee 
4eelddf9301d6352c9ad769ef8d20515 
ddlb7cdaf28d5cl58a49abldbbc497cb 
93faal23c2903f4743e4dd83431692de 
2214f132a896251664aec94164ff749c 
22ffc916a81474416496f19c64ae2532 
1008ffe53b36ee6af27b42549b8a7bb7 
78c4f708318d3cd69655b701bfc093cf 
68cc08ed0abbd2bc642ef555244ae878 
f727bf53a3fe7f788cc377eda65cc8cl 
f75c7778a327c8ed8cfebfcla6c37f53 
7f69acled939ebaac8ece3cbl2el59e3 


41 



round[ 9 
round[10 
round[10 
round[10 
round[10 
round[10 
round[11 
round[11 
round[11 
round[11 
round[11 
round[12 
round[12 
round[12 
round[12 
round[12 


. ik_sch 
. istart 
. is_box 
. is_row 
. im_col 
. ik_sch 
. istart 
. is_box 
. is_row 
. im_col 
. ik_sch 
. istart 
. is_box 
. is_row 
. ik_sch 
.ioutput 


60dcef10299524ce62dbef152f9620cf 
lfb5430efOaccf64aa370cde3d77792c 
cbd264d717aa5f8c62b2819c8b02af42 
cb02818cl7d2af9c62aa64428bb25fd7 
cfaf16b2570cl8b52e7fef50cab267ae 
4b4ecbdb4d4dcfda5752d7c74949cbde 
84eldd691a41d7 6f792d389783fbac70 
4fe0c9e443f80d06affa76854163aad0 
4f63760643e0aa85aff8c9d041fa0de4 
794cf891177bfdld8a327086f3831b39 
lalf181dlelblcl94742c7d74949cbde 
6353e08c0960el04cd70b751bacad0e7 
0050a0f04090e03080d02070c01060b0 
00102030405060708090a0b0c0d0e0f0 
000102030405060708090a0b0c0d0e0f 
00112233445566778899aabbccddeeff 


C.3 AES-256 (Aft=8, Nr=14) 

PLAINTEXT : 00112233445566778899aabbccddeeff 

KEY: 000102030405060708090a0b0c0d0e0f101112131415161718191alblcldlelf 


CIPHER 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 
round[ 


(ENCRYPT): 
0].input 
0].k_sch 
1].start 
1]•s_box 
1].s_row 
1].m_col 

1] .k_sch 

2] .start 
2].s_box 
2].s_row 
2].m_col 

2] .k_sch 

3] .start 
3].s_box 
3].s_row 
3].m_col 

3] .k_sch 

4] .start 
4].s_box 
4].s_row 
4].m_col 

4] .k_sch 

5] .start 
5].s_box 
5].s_row 
5].m_col 

5] .k_sch 

6] .start 
6].s_box 
6].s_row 
6].m_col 

6] .k_sch 

7] .start 
7].s_box 


00112233445566778899aabbccddeeff 
000102030405060708090a0b0c0d0e0f 
00102030405060708090a0b0c0d0e0f0 
63cab7040953d051cd60e0e7ba70el8c 
6353e08c0960el04cd70b751bacad0e7 
5f72641557f5bc92f7be3b291db9f91a 
101112131415161718191alblcldlelf 
4f63760643e0aa85efa7213201a4e705 
84fb386flaelac97df5cfd237c49946b 
84elfd6bla5c946fdf4938977cfbac23 
bd2a395d2b6ac438dl92443e615dal95 
a573c29fal76c498a97fce93a572c09c 
1859fbc28alc00a078ed8aadc42f6109 
adcbOf257e9c63e0bc557e951cl5ef01 
ad9c7e017e55ef25bcl50fe01ccb6395 
810dce0cc9db8172b3678cle88alb5bd 
1651a8cd0244bedala5da4cl0640bade 
975c66clcb9f3fa8a93a28df8eel0f63 
884a33781fdb75c2d380349el9f876fb 
88db34fblf807678d3f833c2194a759e 
b2822d81abe6fb275faf103a078c0033 
ae87dffOOffIlb68a68ed5fb03fcl567 
lc05f271a417e04ff921c5cl04701554 
9c6b89a349fOel8499fda678f2515920 
9cf0a62049fd59a399518984f26bel78 
aeb65ba974e0f822d73f567bdb64c877 
6delf1486fa54f9275f8eb5373b8518d 
c357aaellb45b7b0a2c7bd28a8dc99fa 
2e5bacf8af6ea9e73ac67a34c286ee2d 
2e6e7a2dafc6eef83a86ace7c25ba934 
b951c33c02e9bd29ae25cdblefa08cc7 
c656827fc9a799176f294cec6cd5598b 
7f074143cb4e243ecl0c815d8375d54c 
d2c5831alf2f36b278fe0c4cec9d0329 
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round[ 7] 
round[ 7] 
round[ 7] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 9] 
round[ 9] 
round[ 9] 
round[ 9] 
round[ 9] 
round[10] 
round[10] 
round[10] 
round[10] 
round[10] 
round[11] 
round[11] 
round[11] 
round[11] 
round[11] 
round[12] 
round[12] 
round[12] 
round[12] 
round[12] 
round[13] 
round[13] 
round[13] 
round[13] 
round[13] 
round[14] 
round[14] 
round[14] 
round[14] 
round[14] 


. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. m_col 
. k_sch 
. start 
. s_box 
. s_row 
. k_sch 
. output 


d22f0c291ffe031a789d83b2ecc5364c 
ebbl9elc3ee7c9e87d7535e9ed6b9144 
3de23a75524775e727bf9eb45407cf39 
d653a4696ca0bc0f5acaab5db96c5e7d 
f6ed49f950e0657 6be74624c565058ff 
f6e062ff507458f9be50497 656ed654c 
5174c8669da98435a8b3e62ca974a5ea 
0bdc905fc27b0948ad5245a4cl871c2f 
5aa858395fd28d7d05ela38868f3b9c5 
bec26al2cfb55dff6bf80ac4450d56a6 
beb50aa6cff856126b0d6aff45c25dc4 
Of77ee31d2ccadc05430a83f4ef96ac3 
45f5a66017b2d387300d4d33640a820a 
4a824851c57e7e47643de50c2af3e8c9 
d61352dla6f3f3a04327d9fee50d9bdd 
d6f3d9dda6279bdl430d52a0e513f3fe 
bd86f0ea748fc4f4630fllcle9331233 
7ccff71cbeb4fe5413e6bbf0d261a7df 
cl4907f6ca3b3aa070e9aa313b52b5ec 
783bc54274e280e0511eacc7e200d5ce 
78e2acce741ed5425100c5e0e23b80c7 
af8690415d6eldd387e5fbedd5c89013 
f01afafee7a82979d7a5644ab3afe640 
5f9c6abfbac634aa50409fa766677653 
cfde0208f4b418ac5309db5c338538ed 
cfb4dbedf4093808538502ac33del85c 
7427fae4d8a695269ce83d315be0392b 
2541fe719bf500258813bbd55a721c0a 
516604954353950314fb86e401922521 
dl33f22alaed2a7bfa0f44697c4f3ffd 
dled44fdla0f3f2afa4ff27b7c332a69 
2c21a820306f154ab712c75eee0da04f 
4e5a6699a9f24fe07e572baacdf8cdea 
627bceb9999d5aaac945ecf423f56da5 
aa218b56ee5ebeacdd6ecebf26e63c06 
aa5ece06ee6e3c56dde68bac2621bebf 
24fc79ccbf0979e9371ac23c6d68de36 
8ea2b7ca516745bfeafc49904b496089 


INVERSE CIPHER (DECRYPT): 

round[ 0].iinput 8ea2b7ca516745bfeafc49904b496089 
round[ 0].ik_sch 24fc79ccbf0979e9371ac23c6d68de36 
round[ l].istart aa5ece06ee6e3c56dde68bac2621bebf 
round[ 1].is_row aa218b56ee5ebeacdd6ecebf26e63c06 
round[ 1].is_box 627bceb9999d5aaac945ecf423f56da5 
round[ 1].ik_sch 4e5a6699a9f24fe07e572baacdf8cdea 
round[ 1].ik_add 2c21a820306f154ab712c75eee0da04f 
round[ 2].istart dled44fdla0f3f2afa4ff27b7c332a69 
round[ 2].is_row dl33f22alaed2a7bfa0f44697c4f3ffd 
round[ 2].is_box 516604954353950314fb86e401922521 
round[ 2].ik_sch 2541fe719bf500258813bbd55a721c0a 
round[ 2].ik_add 7427fae4d8a695269ce83d315be0392b 
round[ 3].istart cfb4dbedf4093808538502ac33del85c 
round[ 3].is_row cfde0208f4b418ac5309db5c338538ed 
round[ 3].is_box 5f9c6abfbac634aa50409fa766677653 
round[ 3].ik_sch f01afafee7a82979d7a5644ab3afe640 
round[ 3].ik_add af8690415d6eldd387e5fbedd5c89013 
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round[ 4] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 4] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 5] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 6] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 7] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 8] 
round[ 9] 
round[ 9] 
round[ 9] 
round[ 9] 
round[ 9] 
round[10] 
round[10] 
round[10] 
round[10] 
round[10] 
round[11] 
round[11] 
round[11] 
round[11] 
round[11] 
round[12] 
round[12] 
round[12] 
round[12] 
round[12] 
round[13] 
round[13] 
round[13] 
round[13] 
round[13] 
round[14] 
round[14] 
round[14] 
round[14] 
round[14] 


. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
. ik_add 
. istart 
. is_row 
. is_box 
. ik_sch 
.ioutput 


78e2acce741ed5425100c5e0e23b80c7 
783bc54274e280e0511eacc7e200d5ce 
cl4907f6ca3b3aa070e9aa313b52b5ec 
7ccff71cbeb4fe5413e6bbf0d261a7df 
bd86f0ea748fc4f4630fllcle9331233 
d6f3d9dda6279bdl430d52a0e513f3fe 
d61352dla6f3f3a04327d9fee50d9bdd 
4a824851c57e7e47643de50c2af3e8c9 
45f5a66017b2d387300d4d33640a820a 
Of77ee31d2ccadc05430a83f4ef96ac3 
beb50aa6cff856126b0d6aff45c25dc4 
bec26al2cfb55dff6bf80ac4450d56a6 
5aa858395fd28d7d05ela38868f3b9c5 
0bdc905fc27b0948ad5245a4cl871c2f 
5174c8669da98435a8b3e62ca974a5ea 
f6e062ff507458f9be50497 656ed654c 
f6ed49f950e0657 6be74624c565058ff 
d653a4696ca0bc0f5acaab5db96c5e7d 
3de23a75524775e727bf9eb45407cf39 
ebbl9elc3ee7c9e87d7535e9ed6b9144 
d22f0c291ffe031a789d83b2ecc5364c 
d2c5831alf2f36b278fe0c4cec9d0329 
7f074143cb4e243ecl0c815d8375d54c 
c656827fc9a799176f294cec6cd5598b 
b951c33c02e9bd29ae25cdblefa08cc7 
2e6e7a2dafc6eef83a86ace7c25ba934 
2e5bacf8af6ea9e73ac67a34c286ee2d 
c357aaellb45b7b0a2c7bd28a8dc99fa 
6delf1486fa54f9275f8eb5373b8518d 
aeb65ba974e0f822d73f567bdb64c877 
9cf0a62049fd59a399518984f26bel78 
9c6b89a349fOel8499fda678f2515920 
lc05f271a417e04ff921c5cl04701554 
ae87dffOOffIlb68a68ed5fb03fcl567 
b2822d81abe6fb275faf103a078c0033 
88db34fblf807678d3f833c2194a759e 
884a33781fdb75c2d380349el9f876fb 
975c66clcb9f3fa8a93a28df8eel0f63 
1651a8cd0244bedala5da4cl0640bade 
810dce0cc9db8172b3678cle88alb5bd 
ad9c7e017e55ef25bcl50fe01ccb6395 
adcbOf257e9c63e0bc557e951cl5ef01 
1859fbc28alc00a078ed8aadc42f6109 
a573c29fal76c498a97fce93a572c09c 
bd2a395d2b6ac438dl92443e615dal95 
84elfd6bla5c946fdf4938977cfbac23 
84fb386flaelac97df5cfd237c49946b 
4f63760643e0aa85efa7213201a4e705 
101112131415161718191alblcldlelf 
5f72641557f5bc92f7be3b291db9f91a 
6353e08c0960el04cd70b751bacad0e7 
63cab7040953d051cd60e0e7ba70el8c 
00102030405060708090a0b0c0d0e0f0 
000102030405060708090a0b0c0d0e0f 
00112233445566778899aabbccddeeff 


EQUIVALENT INVERSE CIPHER (DECRYPT): 
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round[ 0].iinput 8ea2b7ca516745bfeafc49904b496089 
round[ 0].ik_sch 24fc79ccbf0979e9371ac23c6d68de36 
round[ 1].istart aa5ece06ee6e3c56dde68bac2621bebf 
round[ l].is_box 629deca599456db9c9f5ceaa237b5af4 
round[ l].is_row 627bceb9999d5aaac945ecf423f56da5 
round[ l].im_col e51c9502a5cl950506a61024596b2b07 
round[ 1].ik_sch 34fldlffbfceaa2ffce9e25f2558016e 
round[ 2].istart dled44fdla0f3f2afa4ff27b7c332a69 
round[ 2].is_box 5153862143fb259514920403016695e4 
round[ 2].is_row 516604954353950314fb86e401922521 
round[ 2].im_col 91a29306cc450d0226f4b5eaef5efed8 
round[ 2].ik_sch 5el648eb384c350a7571b746dc80e684 
round[ 3].istart cfb4dbedf4093808538502ac33del85c 
round[ 3].is_box 5fc69f53ba4076bf50676aaa669c34a7 
round[ 3].is_row 5f9c6abfbac634aa50409fa766677653 
round[ 3].im_col b041a94eff21ae9212278d903b8a63f6 
round[ 3].ik_sch c8a305808b3f7bd043274870d9ble331 
round[ 4].istart 78e2acce741ed5425100c5e0e23b80c7 
round[ 4].is_box cl3baaeccae9b5f6705207a03b493a31 
round[ 4].is_row cl4907f6ca3b3aa070e9aa313b52b5ec 
round[ 4].im_col 638357cec07de6300e30d0ec4ce2a23c 
round[ 4].ik_sch b5708el3665a7del4d3d824ca9f151c2 
round[ 5].istart d6f3d9dda6279bdl430d52a0e513f3fe 
round[ 5].is_box 4a7ee5c9c53de85164f348472a827e0c 
round[ 5].is_row 4a824851c57e7e47643de50c2af3e8c9 
round[ 5].im_col ca6f71058c642842a315595fdf54f685 
round[ 5].ik_sch 74da7ba3439c7e50c81833a09a96ab41 
round[ 6].istart beb50aa6cff856126b0d6aff45c25dc4 
round[ 6].is_box 5ad2a3c55felb93905f3587d68a88d88 
round[ 6].is_row 5aa858395fd28d7d05ela38868f3b9c5 
round[ 6].im_col ca46f5ea835eab0b9537b6dbb221b6c2 
round[ 6].ik_sch 3ca69715d32af3f22b67ffade4ccd38e 
round[ 7].istart f6e062ff507458f9be50497656ed654c 
round[ 7].is_box d6a0ab7d6cca5e695a6ca40fb953bc5d 
round[ 7].is_row d653a4696ca0bc0f5acaab5db96c5e7d 
round[ 7].im_col 2a70c8da28b806e9f319ce42be4baead 
round[ 7].ik_sch f85fc4f3374605f38b844df0528e98el 
round[ 8].istart d22f0c291ffe031a789d83b2ecc5364c 
round[ 8].is_box 7f4e814ccb0cd543cl75413e8307245d 
round[ 8].is_row 7f074143cb4e243ecl0c815d8375d54c 
round[ 8].im_col f0073ab7404a8alfc2cba0b80df08517 
round[ 8].ik_sch de69409aef8c64e7f84d0c5fcfab2c23 
round[ 9].istart 2e6e7a2dafc6eef83a86ace7c25ba934 
round[ 9].is_box c345bdfalbc799ela2dcaab0a857b728 
round[ 9].is_row c357aaellb45b7b0a2c7bd28a8dc99fa 
round[ 9].im_col 3225fe3686e498a32593cl872b613469 
round[ 9].ik_sch aed55816cf19cl00bcc24803d90ad511 
round[10].istart 9cf0a62049fd59a399518984f26bel78 
round[10].is_box Icl7c554a4211571f970f24f0405e0cl 
round[10].is_row lc05f271a417e04ff921c5cl04701554 
round[10].im_col 9dld5c462e655205c4395b7a2eac55e2 
round[10].ik_sch 15c668bd31e5247dl7cl68b837e6207c 
round[11].istart 88db34fblf807678d3f833c2194a759e 
round[ll].is_box 979f2863cb3a0fcla9el66a88e5c3fdf 
round[ll].is_row 975c66clcb9f3fa8a93a28df8eel0f63 
round[11].im_col d24bfb0elf997633cfce86e37903fe87 
round[11].ik_sch 7fd7850f61cc991673db890365c89dl2 
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round[12].istart ad9c7e017e55ef25bcl50fe01ccb6395 
round[12].is_box 181c8a098aed61c2782ffba0c45900ad 
round[12].is_row 1859fbc28alc00a078ed8aadc42f6109 
round[12].im_col aec9bda23e7fd8aff96d74525cdce4e7 
round[12].ik_sch 2a2840c924234cc026244cc5202748c4 
round[13].istart 84elfd6bla5c946fdf4938977cfbac23 
round[13].is_box 4fe0210543a7e706efa476850163aa32 
round[13].is_row 4f63760643e0aa85efa7213201a4e705 
round[13].im_col 794cf891177bfdlddf67a744acd9c4f6 
round[13].ik_sch lalf181dlelblcl91217101516131411 
round[14].istart 6353e08c0960el04cd70b751bacad0e7 
round[14].is_box 0050a0f04090e03080d02070c01060b0 
round[14].is_row 00102030405060708090a0b0c0d0e0f0 
round[14].ik_sch 000102030405060708090a0b0c0d0e0f 
round[14].ioutput 00112233445566778899aabbccddeeff 
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